MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396ce7128d66f4693a84c9a7433d5154d3f356e03e61e71a0492177d108c3a95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	396ce7128d66f4693a84c9a7433d5154d3f356e03e61e71a0492177d108c3a95
SHA3-384 hash:	49d74bb8597e6dd157455d0c27a8429bb4d0970ff7d15dc8cd3d779ad2db472f47b7ef02460a6326626a95cd8c987848
SHA1 hash:	211397725cc487bfbe62c725d8ca89eb69feffc6
MD5 hash:	dba551ec4fbb437729d1d97ea4399bb6
humanhash:	summer-papa-don-south
File name:	9ca539d2a41bd6e1a594f9f7b14a0baa.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	103'936 bytes
First seen:	2020-04-03 19:28:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep	1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bK:cI8CxFVxAMNJKu+xVE0TK
Threatray	423 similar samples on MalwareBazaar
TLSH	4FA39D2373D14439F67102B02CB97E79CABFFE380221855BD72456876B31994EA263A3
Reporter	abuse_ch
Tags:	AveMariaRAT exe GuLoader

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1itTFq4yafBv9mreymPA8O3nVeSgY0JZD

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Agentb

Status:

Malicious

First seen:

2020-04-03 19:35:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 30 (90.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

6eb590a11b5310606564853be8c43179b95ee93c3a4c8c3ea8f011819a3b2337

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

9c62d911a4efd2a37364d26439085d493ca2ab7e4b0fa90ba2f5d937e99e5bdf

AveMariaRAT

9ce5eb576c72ecc29eabbbece917f1873bf4f5782485b22549dfbb6ff1d56f58

AveMariaRAT

b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc

AveMariaRAT

c9d35153c2220d608ca08a3e4b26bd01a105e9e99c2bbc6c464f629f6ab472cb

AveMariaRAT

e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d

AveMariaRAT

+ 413 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

0de1cea5c69629b21f9ebb2f060de0840d468a767300f2df14daa651620f718a

AveMariaRAT

exe 396ce7128d66f4693a84c9a7433d5154d3f356e03e61e71a0492177d108c3a95

(this sample)

Dropped by

MD5 9ca539d2a41bd6e1a594f9f7b14a0baa

Dropped by

MD5 451f22864f02d8354ef1929ef34cc754

Dropped by

GuLoader

Dropped by

SHA256 0de1cea5c69629b21f9ebb2f060de0840d468a767300f2df14daa651620f718a

Dropped by

SHA256 171644c285a40e62582872888785dbab71e8714550ac34ce9098039bfb67161b

URLhaus

https://urlhaus.abuse.ch/url/334731/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteExW
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW SHELL32.dll::SHCreateDirectoryExW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::InetNtopW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::StartServiceW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample